So I have many exploitable things, like cash and character values. How do I ensure that these things cannot be exploited?
This has been asked many times and there’s actually a post dedicated to this topic. Check it out here; you’ll learn the basics of securing your game: Exploiting Explained
Save, create and manage these values server side only. Do NEVER, I repeat NEVER, let the user identify themselves to the server by sending in an identification in the form of a parameter.
Setting up restrictions and checks on the server side also minimizes calls that will be exploited.
You can test exploiting your own game by being in the client and changing values and such and see if they got exploited or not. I’m currently developing a tycoon game and I’m using DataStore2 to store all the users save data and all the management of it on the server side with limited functions and a lot of checks on the values sent in.
For things like cash and values on a character, make sure you are changing, modifying and checking these values on the server, and in this case there is no need for remotes.
You can’t stop exploiting. You can mitigate or prevent it, but stopping it entirely is not possible.
A great tip is to think of the client (player) as being hostile. If they want food, they need to be authentic. If not, reject and toss aside.
So, when I’m checking if a player has enough cash for an item, per se, I should check it on the server, not on the client?
Yes, it should be checked on the server - you cannot trust the client at all. Generally, you would do sanity checks. Exploiting, in general, can’t be stopped - you can slow them down, but you can’t stop them.
My main problem is I’m absolutely terrified of having my game leaked. It’s a problem that no one knows how to solve. Are there any very useful ways to stop it, or prevent it?
As far as your game being leaked goes, unless somebody in a Team Create leaks files, only LocalScripts and other Instances that aren’t server scripts or things stored in ServerStorage can be replicated/saved by exploiters.
Also, some more advice I can give you is to put cooldowns on your remotes. If you have a remote for any sort of quest or job, make sure it can’t be spammed, especially if that remote has any sort of currency or item involved.
Wait, I have pretty much all my tools stored in ServerStorage, should I move those to replicated?
Exploiters can pretty much read the bytecode of the scripts, so you can’t stop them from stealing all of your client code. You could try obfuscation though. They can’t read the bytecode of server scripts, nor read the descendants of ServerStorage, so ServerStorage is great for tools. No problems there.
I wouldn’t like my tools to be found, or models stolen. How do I prevent them from finding them?
Obfuscation is good but I wouldn’t worry about it too much. Exploiters don’t really want to steal your GUIs and all that, and that should be what LocalScripts are handling. If your LocalScripts are doing other things or holding sensitive information, however, you should try to rewrite them to be based on the server.
At worst, if an exploiter goes ahead and says “time to save everything lul!”, not much can happen other than him having some models on his hard drive and a few LocalScripts/ModuleScripts. It never escalates much beyond that point.
Also, exploiters can’t read server-side code so tools can’t necessarily be stolen.
To put it simply, make sure that you confirm everything from the client side.
Why are they exploitable? Do you have some kind of remote that lets a player arbitrarily increase their cash?
If so, this is bad design. Doing that is just begging for your game to be exploited.
Here is how it should go:
Client: “Can I please get cash? I did what I was supposed to do.”
Server: “Let’s see…nope you didn’t do it! No cash!”
If they did do it, it should go like:
Server: “Yes you did it, here is some cash.”
Better yet, don’t even have the client tell the server if they’re ready. The server tells the client they’re ready for a reward.
If something can be safely checked on the client without being abusable, then sure, check on the client.
By the way I wouldn’t recommend obfuscation as it is gonna make your code hell to debug, and it can decrease performance.
And yeah, this type of post on preventing exploits has been done millions of times.
Correct. Those checks are referred to as “Sanity Checks”. Anything that you put in a LocalScript, the client has access to. Naturally, this data can be manipulated by an exploiter to fit their needs. Always check to see if the data being sent is valid before it’s being pushed server-wide.
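The advice in this thread put together in one server script: the player is identified from the argument the engine supplies rather than anything the client sends, the remote has a per-player cooldown so it can’t be spammed, and the cash check and deduction happen against a server-side balance. This is an added example, not code from any of the posters; the “BuyItem” RemoteFunction name, the catalogue, the starting balance and the cooldown are assumed sample values.

```lua
-- Server Script in ServerScriptService (added example, not from the thread).
-- Assumed: a RemoteFunction named "BuyItem" in ReplicatedStorage; the catalogue,
-- starting balance and cooldown below are constructed sample values.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- Authoritative state lives only on the server; nothing here is read from the client.
local cash = {}          -- [Player] = balance
local lastRequest = {}   -- [Player] = os.clock() of the last accepted request
local COOLDOWN = 0.5     -- seconds between purchases per player (assumed)
local CATALOG = { Shovel = 50, Tractor = 500 } -- prices defined server-side only

Players.PlayerAdded:Connect(function(player)
    cash[player] = 100 -- starting balance; a real game would load this from a DataStore
end)

Players.PlayerRemoving:Connect(function(player)
    cash[player] = nil
    lastRequest[player] = nil
end)

-- `player` is filled in by the engine from the connection that invoked the remote,
-- so a client cannot pass someone else's identity as an argument.
buyItem.OnServerInvoke = function(player, itemName)
    -- Sanity check: an exploiter can send any type or value here.
    if typeof(itemName) ~= "string" then
        return false, "bad argument"
    end
    local price = CATALOG[itemName]
    if price == nil then
        return false, "unknown item"
    end

    -- Cooldown so the remote cannot be spammed.
    local now = os.clock()
    if lastRequest[player] and now - lastRequest[player] < COOLDOWN then
        return false, "too fast"
    end
    lastRequest[player] = now

    -- Check and deduct using the server's balance; the client's copy is irrelevant.
    local balance = cash[player] or 0
    if balance < price then
        return false, "not enough cash"
    end
    cash[player] = balance - price
    -- Hand out the tool from ServerStorage here; it never needs to be replicated.
    return true, cash[player]
end
```

The client only ever receives the result; it never tells the server what its balance is or who it is.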